"blue"-clients only internet and no WUI-access

Hello community,

my original goal was to prevent clients from the blue network from gaining access to the WUI, but to get internet access.

When implementing the scenario, I encountered inconsistencies that fit both the WiFi category and the documentation.

SETUP: I have set the default behavior of the firewall for forwarding and input to blocked.

From my administrative point of view, a MAC filter is not helpful for guests in the WLAN at home, so I deactivated it accordingly https://wiki.ipfire.org/configuration/firewall/accesstoblue. To enable access to the Internet, I created a firewall rule in the forwarding chain for access from BLUE to RED.
In this state, it is possible to access the WUI from a client registered in the blue network, although the standard guideline for input is blocked and no firewall rule is defined for the input chain. This means that there must be other default rules that I have not yet known. In the search for it I have rudimentary familiarized myself with iptables.
My question 1: There must be documentation of the default entries of iptable and their purpose for each release of IPFire. Where can I find this documentation section for the current version 144?

Back to the scenario: How do I deactivate Blue’s access to the WUI?
According to https://wiki.ipfire.org/configuration/firewall/accesstoblue by defining a rule for the CUSTOMERINPUT chain in iptables, which has to be adapted according to your own network configuration.
I have the following questions:

  1. I assume that the IP in the wiki belongs to the blue interface of the IPFire. Why is it not indicated that a client in the blue network can still access the WUI via the green (or orange) interface to the IPFire?
  2. Why not solve the problem by creating a firewall rule in the WUI for the input chain that prohibits Blue access to all IPFire interfaces?

@jon: I will refer you to this thread because the wikipage was last changed by you and I assume that you are most familiar with the background.

Many thanks for your support.
Best regards

I have a firewall rule
Have not tested it.


  • Standard networks - Blue


  • Firewall - Blue


  • TCP Destination port 444

  • Drop or Reject what you more like

1 Like

Hello @hvacguy , @anon33261557,

Thank you for your answers. Deactivating access via the firewall rule is already clear.

In contrast to your suggestions, I specified the firewall with all networks as the destination, so that access by Blue to the Green Interface of the IPFire is blocked. (Forwarding from blue to green and input from green to the green interface of the ipfire works otherwise undesirably, which is what my two questions aimed at.)

Nobody can give me a hint about the default IPTABLE rules of IPFire, right?

many Greetings

You can have a look at




# iptables --list | more